
About firewall certification

Unwanted traffic protection tool


As someone interested in the certification of state information systems (GIS), I decided to set out some thoughts on the certification of firewalls. The article focuses on problems that, for some reason, nobody is in a hurry to solve at the moment. If this topic interests you and you want to discuss it, welcome under the cut.

A firewall is a software or hardware complex that, at the required security level, controls the quantity and content of the network packets passing through it. A firewall analyzes network traffic against a defined set of rules, according to which all data is filtered.

Thus, the main task of the ME (mezhsetevoy ekran, the Russian term for a firewall; also rendered as brandmauer or firewall) is to protect standalone hosts or shared computer networks from unauthorized third-party access, which could use the data for its own purposes or cause irreparable harm to the network owner. That is why firewalls are also called filters: they do not let through data packets that do not match the criteria specified in the configuration. Network traffic can be filtered at any layer of the OSI model, and information from different layers can serve as criteria: port numbers, the contents of the data field, the sender or recipient address.

The state bodies that regulate information technology define the firewall more specifically, as one component of a broader information security system that includes a number of additional features to ensure its effective operation. A firewall is optional for the owner of a network. Although the owner is fully responsible for the safety of confidential information, such protection systems are not yet deployed in the Russian Federation at the proper level. Ideally, a firewall should be implemented in every internal network to monitor incoming and outgoing information flows around the clock. At present an information security monitoring system to some extent replaces additional network protection tools, but this is not enough to call a personal security system a combination of high-level hardware.

Prevalence of firewalls (ME)


It has long been known that protection must always be comprehensive, and even a correctly configured ME with the full set of necessary rules does not give the user absolute protection. Therefore, an ME should be used together with antivirus programs that detect and neutralize various malicious programs, find infected files, isolate suspicious files, and control the processes executing in the system. The comprehensiveness of this approach solves the problem that arises from the specialization of information protection tools, where each tool helps to prevent only certain security threats.

Depending on the type of ME, it is possible to isolate and protect applications, machines and internal network services from unwanted traffic coming from the external Internet, to prohibit or restrict access by internal network hosts to external web services, and to support network address translation, which allows private IP address ranges to be used inside the network. Firewalls filter all inbound and outbound traffic that passes through each user's system. Depending on a number of additional characteristics, they may belong to a certain security class, for which a certificate must be obtained.

In operation, an ME can be "guided" by one or several rule sets, against which each network packet is checked and filtered. This takes place both on the inbound and on the outbound side of the network connections. Depending on the result of the check, the traffic is either allowed to pass further or blocked. The firewall's own settings specify which characteristics of the network packets are examined during filtering: the protocol type, the host address, and the destination or source port can all serve as criteria.
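As an added illustration (this code is not from the article) of the rule-based filtering just described: an ordered rule set matched against network-layer fields (addresses, protocol) and transport-layer fields (destination port), applied to both inbound and outbound packets with a default-deny fallback. The internal network, rule set and packets are constructed for the example and use documentation address ranges.

```python
# Added example: a minimal stateless packet filter that applies an ordered
# rule set to network-layer (address, protocol) and transport-layer (port)
# criteria. First matching rule wins; an unmatched packet is denied.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out" relative to the protected network
    proto: str                # "tcp", "udp" or "icmp"
    src: str                  # source IP address
    dst: str                  # destination IP address
    dport: Optional[int] = None   # destination port (None for icmp)

@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"    # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

def filter_packet(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule; deny by default."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed rule set for an internal network 192.0.2.0/24 (documentation range).
RULES = [
    Rule("deny", "in", src="203.0.113.0/24"),                       # blocked external range
    Rule("allow", "in", "tcp", dst="192.0.2.10/32", dport=443),     # published HTTPS server
    Rule("allow", "out", "tcp", src="192.0.2.0/24", dport=443),     # hosts may reach HTTPS
    Rule("allow", "out", "udp", src="192.0.2.0/24", dst="192.0.2.1/32", dport=53),  # local DNS
]

def decide(direction: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Convenience wrapper: filter one packet against RULES."""
    return filter_packet(RULES, Packet(direction, proto, src, dst, dport))
```

Note that rule order matters: the blocklist entry is placed before the allow rule for the web server so that a blocked source cannot reach it even on port 443.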

Firewalls significantly raise the security level of a local network. But their functionality is not limited to this: MEs perform whatever additional tasks the user or organization needs at the moment.

Characteristics of an effective ME


Currently, the firewall market is represented by many different models with different functionality. Network protection tools interest users as well as developers and suppliers (who are interested in large sales to a wide circle of people). Until the law "On Personal Data" entered into force, it was much easier to sell hardware, since a mandatory product certificate was not required. Now the situation has become somewhat more complicated: one can no longer omit the required protection parameters from the hardware and still sell it at a high price as a product with a high level of security. The use of each type of firewall for protecting personal data is clearly regulated, as is each of its individual characteristics. All the regulations openly inform users and developers what a firewall belonging to one of the five security classes must ultimately be.

The legislator ultimately concludes that only certified hardware should be used for the effective protection of personal data. This applies directly to firewalls. When buying an unverified product, the user has every chance of getting a fake: for example, a firewall with a minimal set of features that can be bought at a lower price.

Problems in the field of ME certification


Despite the clear definition of the concept of "firewall", whose properties come down to filtering unwanted information that could cross the network boundary, developers do not always create a functional tool that meets the certification parameters. This may be due to bad faith on the seller's part, or to the incompetence of a developer who made one or more mistakes while creating the hardware.

The regulator defines the main indicators that each firewall must meet to belong to a particular certified class. There are regulations that clearly spell out the requirements for the protection tools offered to users.

A developer can call any hardware a firewall, but it will not be certified until it meets all the parameters set out in these and a number of additional provisions and official documents.

Preliminary testing of the software product before it goes on sale is mandatory. The issuance of the corresponding certificate by the supervising authority is the main confirmation that the firewall complies with the requirements.
However, many experts point to an outdated approach to this issue: the Guiding Documents have not changed and have not been amended for a long time, even though the state of affairs in information technology today is quite different from what it was a decade ago. This skeptical point of view does not, however, diminish the desire of many developers and suppliers to obtain a certificate.

Certified firewalls belong to one of five classes of personal information security. This classification is intended for customers and developers of MEs, as well as of computer networks and distributed automated systems, for use in formulating and implementing requirements for their protection from unauthorized access to information.

The higher the class of the firewall, the greater the requirements placed on it and the more stringently the generally accepted characteristics are analyzed. All the standards are spelled out in the Guiding Document "Computer Hardware. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information", approved on July 25, 1997. So far the FSTEC has not amended the document, which indicates a certain disregard for the innovations developers have introduced into firewalls in particular.

Every security tool certified by the FSTEC since the document appeared has been entered in the State Register. The register is available for everyone to review, which allows a prospective ME buyer to get a preliminary, approximate picture of the product entered in the register, or of its analogue, even before the purchase. It is worth noting that there are gaps in the register for some hardware codes, since not all units were added to the general list in time. This may lead to distorted information.

Currently, not every firewall developer can certify its product, because it does not comply with the requirements of the RD of the Russian Federation. One of the most common grounds for refusing certification is the absence of a function for filtering traffic at the transport and network layers (meaning both an integrated approach and each layer considered separately). Such MEs control network packets exclusively at the application layer, which greatly reduces the effectiveness of the firewall as an integrated hardware product. Such a product is easy to develop and does not require significant time or material costs. A firewall with such "narrow" characteristics has a chance of being certified for the absence of undeclared capabilities (NDV), but in that certification the very concept of a "firewall" is not considered.

From this it follows that, in accordance with the requirements for certifying information protection tools, a firewall must be certified as a firewall of a specific class for compliance with the FSTEC RD. Certification for the absence of NDV, or for the possibility of use in an AS / ISPDn / IS, does not in this case give a correct assessment of the GIS under consideration as a firewall.

If strict compliance of the firewall with a particular security class, as reflected in the certificate, is not so important to the customer, he does not request this document upon purchase. This is the case in some industries that use information security tools that have not been tested before.

If a product is certified against specifications that reflect the clear requirements of the governing documents regarding the control of incoming and outgoing information flows, only its functionality is checked. Currently, the FSTEC does not consider such firewalls to be certified as products of the generally defined information protection classes.

It is important for the customer to pay attention to the above nuances even before purchasing a firewall, rather than relying solely on the honesty and competence of the manufacturer. Beforehand, you need to familiarize yourself with the regulatory documents that explain the mechanism by which a firewall is verified for compliance with the norms.

If you have doubts about whether the functions listed in the certificate are actually present, you can apply to the FSTEC to re-certify the product, which will either confirm its authenticity or refute it. Additionally, study the features of the current certification system so that there will be no problems with the product in the future. Primary responsibility lies with the user of the hardware.

In the event of a failure of the ME, or of its ineffectiveness due to the absence of necessary functions, the questions will be directed not at the firewall developer but at the ME administrator or the buyer of the product, who did not verify its authenticity in time.

Certification of information security tools (firewalls in particular) can be carried out only by specially accredited federal state certification bodies. Once an application for testing the system is received, control passes to testing centers that have the necessary level of accreditation, as well as the specific material and technical base that allows such tests of hardware information protection systems to be carried out. In some cases, tests of the firewall may be conducted on the applicant's premises, but this takes place with the permission of the federal authority and under its strict control. The validity of an issued certificate can be verified in other laboratories if the regulator has doubts about the plausibility of the test results.

Instead of a conclusion


Firewalls are used as the basis for building a network screening system. Today there are more than a hundred families of firewalls, which complicates the certification procedure when it comes to determining a firewall's class with respect to the RD of the FSTEC of Russia. The set of methods currently used is standard, yet as a rule it is developed separately for each firewall being tested in a separate testing laboratory. Such certification test methods are schematic in nature, and this complicates the optimization of the actions needed to assess the conformity of the firewall and computer networks in use.

Source: https://habr.com/ru/post/246193/
